What bit of information confirms the identity of an ssh server to a client?

This chapter discusses the solutions to deploy strong encryption to enhance network security. It discusses network encryption and why it is essential to the security of network. Network encryption ensures that data sent across a network from one host to another is secure. If a sniffer intercepts the data, it is unusable because the data is encrypted. Therefore, a hacker cannot view any usernames or passwords, and any information sent across the network, such as confidential data, is safe. To display the problems associated with unencrypted data transmission, one captures unencrypted network traffic and analyzes it for security vulnerabilities.

The Secure Shell (SSH) protocol is often used for remote management because it provides encrypted connections between a client and a remote device and enables an encrypted bidirectional communication path between two systems. For decades developers have relied on the SSH protocol to establish secure command-line sessions with Linux®/UNIX environments and networking devices. And with the proliferation of Internet of Things (IoT) devices, setting up SSH to enable a secure login is more useful than ever.

Using SSH in Client/Server Applications

SSH is a protocol used in client/server applications. The server runs an SSH server or daemon and the SSH client is installed by default on most UNIX and Mac systems and recent versions of Windows as well. There are other free and commercial versions available that provide additional features, like individually configuring and saving frequent connections. PuTTY is a popular free SSH client and VanDyke Software's SecureCRT is a popular commercial client.

You can use SSH for several activities that require a secure, remote connection to another device, such as:

• Secure file copy between a client and server
• Redirect network protocols over a secure tunnel
• Interactive command-line utility for remote management

Using SSH to Securely Copy Files

You can copy files over SSH using the Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP). Both copy files over TCP 22 but use different protocols. SSH handles the authentication and encryption. SFTP is an extension of the SSH protocol and requires an additional SFTP server on the server-side. SFTP includes a more robust command set like listing remote directories and removing files, which SCP cannot do.

Redirecting Network Traffic over an SSH Tunnel for Secure Remote Management

SSH also supports several other features like the ability to encapsulate other network traffic over an established SSH tunnel. For example, after you create an SSH tunnel, you could instruct a different app, like a web browser, to connect to your local host on a specific port. The system will then send subsequent network calls to a destination server. This allows remote connections to a network without exposing that service on the internet.

Using SSH’s Interactive Commands to Meet Your Remote Management Security Needs

SSH provides authentication and encryption functions that enable you to configure your system to meet your security requirements. By default, SSH is configured for username and password authentication, but you can add public key authentication and additional multi-factor authentication (MFA) provided through other modules (like OATH-TOTP). Multi-factor authentication proves more resilient against phishing attacks than a password alone because MFA requires at least one other factor beyond a password to confirm an identity.

SSH server configurations can be made on the command line, per user, or system-wide through a file called SSH_config, which is typically located in /etc/SSH/SSHd_config.

Configuring SSH for username and password authentication is easiest. By default, on many devices, you only need to create a user account on the server, assign a password, ensure the SSH server daemon is installed and listening, and you are ready to go.

On a client computer, log on to the server remotely using the command:
ssh username@remotehost

When you first log on to a new device, you will be presented with an alert that the authenticity of the server or device that you are connecting to cannot be verified. This is normal and an excellent security measure. The SSH client will show you the host key that was presented by the server. To ensure that the server you are connecting to is the actual server you intended to connect to (and not a spoof or man-in-the-middle), you should confirm its identity. On the server, use this command to output the server’s identity public key:

ssh-keygen -l -f

For example:

ssh-keygen -l -f ssh_host_ecdsa_key.pub

Then, compare this command’s output with the hash the SSH client presented you. You only need to do this once. The SSH client will save this entry in a list of all known hosts that you previously logged onto in the file ~/.SSH/known_hosts and will only alert you if a mismatch is detected.

Setting up certificates for authentication is a bit more complicated, but many internet sites detail the required steps. For example, a very good walkthrough is available on https://ssh.com. These sites show the specifics for installing and configuring SSH and certificates for different Linux distributions. The keys generated are actual credentials and just as important as a username and password and should be handled carefully and well protected. These certificates will allow access to your devices.

In general, the steps include:

1. Generate a key pair that includes an authorized key and identity key by running the command ssh-keygen. By default, ssh-keygen will create a new identity (private) and authorized (public) SSH Protocol 2 RSA key pair into the ~/.ssh directory. If you choose to enter a passphrase when creating your SSH keys, then you will be required to reenter this passphrase when attempting to use the key to log into the remote computer. Reentering the passphrase is a good security measure since the passphrase encrypts your private key and prevents an attacker from using it.
   
   From a command line on the client computer, run:
   ssh-keygen 
    
2. Copy the authorized key from the client computer to the server. Using the ssh defaults, this key has a .pub extension and is located alongside the identity key in the user's .ssh directory. After you run ssh-keygen to generate the ssh keys, run this on the client computer:
   
   /etc/SSH/SSHd_config.0
   
   This tool will look for the keys on your client computer and will log into the remote computer you specified and copy the keys into (a new) file, located at /etc/SSH/SSHd_config.1.

This completes the process in the simplest form. Now when you log into that remote device, it will use your certificate to authenticate you.

Specifying Which Encryption Cipher to Use

SSH also lets you specify which encryption cipher to use. Not all ciphers are equal and some you should avoid. Most modern Linux distributions default to acceptable encryption ciphers but older devices may not support these. To limit downgrading to remove ciphers that you don't want, edit the file /etc/SSH/SSHd_config.2 and specify the ciphers you wish to support. If your server or device supports a later version of OpenSSH, you can run the following command to invoke extended test mode, which will list many configuration options including what crypto algorithms are enabled:

/etc/SSH/SSHd_config.3

Refer to the OpenSSH website for current guidance on the best symmetric, host key, key exchange, and message authentication code algorithms to use. The National Institute of Standards and Technology (NIST) also offers recommendations of what encryption ciphers to avoid due to inadequate key length or the algorithms themselves.

Key Points:

SSH is a very powerful and useful tool to connect to a myriad of devices. IoT devices that allow interactive login will support SSH, and you should be wary of using those that do not on untrusted networks.

• The SSH standard includes tools that enable secure, remote administration of IoT devices and cloud infrastructure.
• SSH provides modern encryption and authentication controls, including multi-factor authentication using password-protected certificates.
• The OpenSSH suite of utilities provides all the tools you need to use SSH to remotely administer your Linux systems and network equipment.

« Back

Jeff Fellinge has over 25 years’ experience in a variety of disciplines ranging from Mechanical Engineering to Information Security. Jeff led information security programs for a large cloud provider to reduce risk and improve security control effectiveness at some of the world’s largest datacenters. He enjoys researching and evaluating technologies that improve business and infrastructure security and also owns and operates a small metal fabrication workshop. 

Related Posts

• SSH Part 3: Configuring SSH Reverse Tunnel to Reduce Exposed Ports

  You can use the Secure Shell (SSH) standard and tools for more than just secure remote administration. Learn how to use SSH port forwarding to securely connect to remote systems without exposing them to insecure networks.

• SSH Part 2: Configuring SSH from a Windows 10 Workstation

  Microsoft’s support for the Windows Subsystem for Linux and the OpenSSH standard increases your options to manage Linux-based cloud environments and IoT devices. Use these tools to securely authenticate your devices and encrypt all communications.

• High-Performance Connectivity in Robotics

  Successful robotics connectivity only happens by design. Read on to explore some of the critical design considerations that engineers should account for when developing industrial or commercial robotic applications and some of the products designed to ensure long-lasting, stable connections.

• Demystifying the RJ Connector

  The registered connector, better known as the RJ connector and commonly known as a modular connector, is one of the most frequently used connectors, present in almost every business and household in America. Yet, it is also one of the most misunderstood, and frequently plagues its users with doubts as to whether they are using the correct connector for their application.

• Robust and Reliable Connectivity

  Industrial automation is challenging enough without worrying about broken wires and connectors. Engineered for harsh environments, data rates up to 10Gb/s, and extreme conditions, these connectors and cables from TE Connectivity and ERNI provide designers with a simple solution for reliable wired connectivity.

• Connecting the Analog Devices ADICUP3029 to Medium One IoT Cloud

  The Analog Devices ADICUP3029 development board together with the cloud-based Medium One IoT Prototyping Sandbox provides hardware, software, and cloud-based tools to create applications that collect, process, and visualize IoT data.

5899 Views

Tagged With: Cloud security, Device security, Edge security, Encryption, Remote administration, SCADA, Secure shell, SSH

What is the significance of SSH protocol Class 10?

What protocol is used for secure remote connectivity for configuration?

Which protocol is used for secure remote CLI access?

Which protocol is based on SSH quizlet?